A chroot is a way of isolating applications from the rest of your computer, by putting them in a jail. This is particularly useful if you are testing an application which could potentially alter important system files, or which may be insecure.

This document explains the basic concepts surrounding the use of a chroot and provides instructions for getting a basic chroot up and running.

Basic Concepts

A chroot is a directory tree on your computer which the applications started inside it see as the whole filesystem, so they cannot reach files outside it by path. In many ways, a chroot is like installing another operating system inside your existing operating system.

Technically speaking, chroot changes the root directory (which is normally /) to the chroot directory (for example, /var/chroot) for the process that calls it and for every process it goes on to start; the change is not system-wide and lasts only as long as those processes do. As the root directory is the top of the filesystem hierarchy, those applications cannot name any directory above it, and so are isolated from the rest of the system. This prevents applications inside the chroot from interfering with files elsewhere on your computer, unless something such as a bind mount deliberately brings those files back inside the chroot.

Note that it is possible for software from outside the chroot to access files inside the chroot. The reverse is also true in one important case: a chroot is not a hard security boundary against a process that runs as root inside it, because root can create device nodes, mount filesystems or use a second chroot to get back out. Run anything untrusted inside the chroot as an ordinary user, and remember that the chroot still shares the kernel, the network and the process list with the rest of the system.

Accessing graphical applications inside the chroot

You can run graphical applications within a chroot, but you need to provide an X server for them to run in first. The easiest way to do this is to point the DISPLAY variable inside the chroot at your system's main X server and allow connections to it. A display of :0.0 is reached through a Unix socket; if the connection fails from inside the chroot, bind-mount /tmp/.X11-unix onto /var/chroot/tmp/.X11-unix before entering it so that the socket file is visible there.

In other words, in the chroot shell type

export DISPLAY=:0.0

And in the system shell type

xhost +local:

This allows only local (Unix-socket) clients, such as those inside the chroot, to connect. The xhost + form seen in many guides disables access control for every host that can reach the X server, which is far more than the chroot needs; run xhost -local: to revoke the access again when you are finished.

Any X command you type will now get its own window as you're used to, but as it is running inside the chroot jail it will not be able to see your normal file system.

You don't have to enter the chroot shell to access its commands. Suppose you want to run Firefox in a chroot jail in order to avoid security problems with signed Java applets and other components which otherwise would have access to your personal files. You can do this by running the command

gksudo "chroot /var/chroot env DISPLAY=:0.0 firefox"

(Firefox does not take its display as -DISPLAY=; the display is passed through the environment instead.) This command can also be invoked from the menu, or a panel applet or desktop shortcut. Be aware that it starts Firefox as root inside the jail, because chroot itself has to run as root, and root inside a chroot is exactly what a chroot cannot contain. For a browser that handles untrusted content, create an ordinary user inside the chroot and switch to it (with su, or with chroot --userspec=UID:GID on current GNU coreutils) before the browser starts.

If you want the chroot to have its own display, you need to create this display with the Xnest command. Perform the following instructions outside the chroot:

Install the xhost and xnest packages.

Ensure that /proc is mounted and DNS resolution is set up within the chroot (see above).

Type the following into a Terminal:

Xnest -ac :1

A blank Xnest window should appear. The -ac option turns off access control entirely, which is what lets the chroot connect without an authority cookie; if Xnest is also listening on TCP, any host that can reach port 6001 may connect to it and interact with every window in it. On a networked machine add -nolisten tcp, bind-mount /tmp/.X11-unix into the chroot if the socket is not already reachable, and use DISPLAY=:1 inside it, so that only local clients can reach the nested server.

Open another Terminal and type the following to enter the chroot:

sudo chroot /var/chroot

While in the chroot shell, type the following:

export DISPLAY=localhost:1

If you have problems starting graphical applications, type the above command again, but replace localhost with 127.0.0.1

Start a window manager inside the chroot. For example, install the metacity package and type:

metacity &

Start a graphical application inside the chroot (making sure that you installed it in the chroot first). It should appear in the Xnest window.

You can install a complete Ubuntu desktop in the chroot by installing the ubuntu-desktop package. GNOME can be started from the command line by running the gnome-session command.

Notes

It seems that advising installing and using schroot in lieu of dchroot would be more consistent. Additionally (I don't have a reference at my fingertips), my memory is that dchroot is being deprecated, with schroot taking its place?

If there is agreement on using schroot, then in lieu of sudo chroot /var/chroot, use sudo schroot -c gutsy -d, and this will still keep things basic by using schroot defaults.

In addition, by using schroot all binds are engaged and removed automatically at chroot enter and exit. This is important to minimize accidental erasures of data. Thus, I think a basic help page like this should warn users not to erase/delete/trash_can an entire chroot or entire chroot directories until the chroot is exited (and all binds removed). For schroot, all automatically created binds will be removed on exit, and accidental erasure of the entire /home (often heard about) can be minimized. (It seems either people forget or don't comprehend the bi-directional nature of mount --bind.)
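The Xnest procedure in the section above and the warning in these notes about the bi-directional nature of mount --bind need the same scaffolding, so here is one added example that serves both. It is example code written for this page, not the page's own commands and not part of schroot or dchroot. It assumes, hypothetically, a chroot at /var/chroot (the page's path), an unprivileged account inside it referred to by numeric UID:GID, GNU coreutils chroot for --userspec, and that the Xnest server was started on the host with -nolisten tcp so the connection travels over the bind-mounted /tmp/.X11-unix socket rather than TCP. The mount-table file read by mounts_under is /proc/self/mounts; the tests feed it constructed tables instead.

```shell
#!/bin/sh
# Added example, not part of the original page: enter a chroot with the bind
# mounts an X application needs, remove them again on exit whatever happens,
# and refuse to delete a chroot directory while anything is still mounted
# under it (a bind mount *is* the host directory, so "rm -rf /var/chroot"
# with /home still bound would empty the real /home).
# Hypothetical assumptions: the chroot lives at /var/chroot, an unprivileged
# account exists inside it and is given as numeric UID:GID, and the host's
# chroot is GNU coreutils (for --userspec).

# Bind mounts made on entry, in this order, and undone in reverse on exit.
CHROOT_BINDS="/proc /dev /dev/pts /tmp/.X11-unix"
CHROOT_DIR=""

# mounts_under DIR [TABLE]: exit 0 if a mount point in TABLE (default
# /proc/self/mounts) is DIR or lies below it, 1 if none does, 2 if TABLE
# cannot be read. "/var/chroot" must not match "/var/chroottmp", so the
# prefix compared is DIR followed by "/".
mounts_under() {
    dir=${1%/}
    table=${2:-/proc/self/mounts}
    [ -r "$table" ] || return 2
    awk -v d="$dir" '$2 == d || index($2, d "/") == 1 { found = 1 }
                     END { exit !found }' "$table"
}

# safe_remove_chroot DIR [TABLE]: rm -rf DIR only when nothing is mounted
# beneath it and DIR is not the real root.
safe_remove_chroot() {
    dir=${1%/}
    if [ -z "$dir" ]; then
        echo "refusing to remove /" >&2
        return 1
    fi
    if mounts_under "$dir" "${2-}"; then
        echo "refusing to remove $dir: filesystems are still mounted under it" >&2
        return 1
    elif [ $? -eq 2 ]; then
        echo "cannot read the mount table, not removing $dir" >&2
        return 1
    fi
    rm -rf -- "$dir"
}

# Undo the bind mounts deepest-first. Runs from the EXIT trap, so it also
# happens after Ctrl-C or a failed command.
chroot_cleanup() {
    rev=""
    for b in $CHROOT_BINDS; do rev="$b $rev"; done
    for b in $rev; do umount "$CHROOT_DIR$b" 2>/dev/null || true; done
}

# with_chroot DIR UID:GID DISPLAY COMMAND [ARGS...]: run COMMAND inside DIR
# as the given unprivileged identity with DISPLAY set, e.g.
#   with_chroot /var/chroot 1000:1000 :1 firefox
# after "Xnest -ac -nolisten tcp :1" on the host; the bind-mounted
# /tmp/.X11-unix carries the connection, so no TCP or DNS is involved.
# Must run as root.
with_chroot() {
    CHROOT_DIR=${1%/}
    spec=$2
    display=$3
    shift 3
    trap 'exit 1' INT TERM   # a signal exits, which in turn fires the EXIT trap
    trap chroot_cleanup EXIT
    for b in $CHROOT_BINDS; do
        mkdir -p "$CHROOT_DIR$b" || return 1
        mount --bind "$b" "$CHROOT_DIR$b" || return 1
    done
    # Numeric IDs sidestep a name lookup that would consult the chroot's passwd.
    chroot --userspec="$spec" "$CHROOT_DIR" env DISPLAY="$display" "$@"
}

# Front end: "enter DIR UID:GID DISPLAY CMD..." runs a command, "remove DIR"
# deletes the chroot. With no arguments the file only defines the functions.
case "${1-}" in
    enter)  shift; with_chroot "$@" ;;
    remove) safe_remove_chroot "$2" ;;
esac
```

Run it as root, for example "enter /var/chroot 1000:1000 :1 metacity" to start the window manager in the Xnest window, and "remove /var/chroot" when the chroot is no longer wanted. The EXIT trap is what schroot does for you automatically: the binds are gone before the prompt returns, and if they are somehow not, safe_remove_chroot reads the mount table and refuses the rm -rf rather than following a bind mount back into the host's /home or /dev.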